How to manage secret values with docker-compose v3.1?


Introduction

As developers, we frequently need to incorporate private data into our applications, including passwords, API keys, and database credentials. Not only is it unsafe to hardcode these variables into our code or configuration files, but it can also be challenging to manage and change them when necessary.

Using environment variables, which let us keep sensitive data apart from our codebase and configuration files, is one method to manage secret values. In this article, we'll look at how to maintain secret values using docker-compose v3.1 and inject them as environment variables into our containers.

Prerequisites

To follow along with this tutorial, you will need to have Docker and docker-compose v3.1 installed on your machine. You can use the following commands in your terminal to see if you have these utilities installed −

$ docker --version 
$ docker-compose --version

Methods

There are several methods that we can use to manage secret values with docker-compose v3.1.

Some of these methods include the following −

  • Using environment variables

  • Using .env file

Let us discuss each of these in detail now with examples.

Using environment variables

One way to manage secret values with docker-compose v3.1 is to use environment variables. Environment variables are key-value pairs that are passed to a container at runtime. They can be set in the docker-compose file, or they can be passed in from the host machine.

Example 1

To set an environment variable in the docker-compose file, we can use the environment key under the service for which we want to set the variable.

Step 1 − Navigate to your project directory in your code editor.

To navigate using your terminal, use the following command −

$ cd /directory-path

Step 2 − In your docker-compose.yml file, specify the environment key under the service for which you want to set the variable.

version: "3.1"
services:
  web:
    image: nginx:latest
    ports:
      - 8080:80
    environment:
      - API_KEY=123456

Step 3 − Add the corresponding Dockerfile named “Dockerfile” in the same directory with the following content −

FROM nginx:latest 
EXPOSE 80 
ENV API_KEY=123456

Step 4 − Now build and run this docker-compose setup by running the following command in the terminal −

$ docker-compose up

Output

[+] Running 1/1
- Container examp2-web-1 Recreated                    0.9s
Attaching to examp2-web-1
examp2-web-1 | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
examp2-web-1 | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
examp2-web-1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
…
examp2-web-1 | 2023/01/09 17:53:54 [notice] 1#1: start worker process 38
examp2-web-1 | 2023/01/09 17:53:54 [notice] 1#1: start worker process 39
examp2-web-1 | 2023/01/09 17:53:54 [notice] 1#1: start worker process 40

Using .env file

Another way to manage secret values with docker-compose v3.1 is to use a .env file. A .env file contains a list of key-value pairs that are passed to a container at runtime. The docker-compose file and the .env file must both be in the same directory.

Step 1 − Navigate to your project directory in your code editor.

Step 2 − Create a file called .env in your project directory.

Step 3 − To use a .env file with docker-compose v3.1, set the environment variables in the .env file, for example the API key, like this −

API_KEY=123456

Step 4 − Use the following command in the terminal to display the contents of the .env file.

$ cat .env

Output

API_KEY=123456

Step 5 − Create a docker-compose.yml file in the same directory and then reference these environment variables using the ${VAR_NAME} syntax −

version: "3.1" 
services: 
 web: 
   image: nginx:latest 
   ports: 
   - 8080:80 
   environment: 
   - API_KEY=${API_KEY}

Step 6 − Use the following command in the terminal to output the contents of the docker-compose.yml file −

$ cat docker-compose.yml

Output

version: "3.1"
services:
 web:
   environment:
   - API_KEY=${API_KEY}

Step 7 − Start the services defined in this file using the following command in the terminal −

$ docker-compose up

Output

[+] Running 1/0
- Container examp2-web-1 Created 0.0s
Attaching to examp2-web-1
examp2-web-1 | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
examp2-web-1 | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
examp2-web-1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
examp2-web-1 | 10-listen-on-ipv6-by-default.sh: info: IPv6 listen already enabled
examp2-web-1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
examp2-web-1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
examp2-web-1 | /docker-entrypoint.sh: Configuration complete; ready for start up
examp2-web-1 | 2023/01/09 18:04:52 [notice] 1#1: using the "epoll" event method
examp2-web-1 | 2023/01/09 18:04:52 [notice] 1#1: nginx/1.23.3
examp2-web-1 | 2023/01/09 18:04:52 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
examp2-web-1 | 2023/01/09 18:04:52 [notice] 1#1: OS: Linux
…
examp2-web-1 | 2023/01/09 18:04:52 [notice] 1#1: start worker process 29
examp2-web-1 | 2023/01/09 18:04:52 [notice] 1#1: start worker process 30
examp2-web-1 | 2023/01/09 18:04:52 [notice] 1#1: start worker process 31
examp2-web-1 | 2023/01/09 18:04:52 [notice] 1#1: start worker process 32
examp2-web-1 | 2023/01/09 18:04:52 [notice] 1#1: start worker process 33
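
The difference between the two approaches above can be checked mechanically. The script below is an added example, not part of the original tutorial: it flags Compose environment entries that hardcode a secret-looking value, as Example 1 does, and a .env file that is not excluded from version control. The function names, the name fragments treated as secret (KEY, SECRET, TOKEN, PASSWORD) and the .gitignore check are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial). Handles list-style
# "environment:" entries ("- NAME=value"), the form used on this page.

# Print the name of each secret-looking variable that is set to a literal
# value instead of a ${NAME} reference resolved from .env or the host.
literal_secrets() {
  awk '
    /^[[:space:]]*environment:[[:space:]]*$/ { in_env = 1; next }
    in_env && /^[[:space:]]*-/ {
      entry = $0
      sub(/^[[:space:]]*-[[:space:]]*/, "", entry)
      sub(/[[:space:]]+$/, "", entry)
      eq = index(entry, "=")
      if (eq == 0) next                      # "- NAME": value comes from the host
      name = substr(entry, 1, eq - 1)
      value = substr(entry, eq + 1)
      if (toupper(name) ~ /KEY|SECRET|TOKEN|PASSWORD/ && value != "" &&
          value !~ /^[$][{][A-Za-z_][A-Za-z0-9_]*[}]$/)
        print name
      next
    }
    in_env && /[^[:space:]]/ { in_env = 0 }  # any other line ends the block
  ' "$1"
}

# Succeed if the project .gitignore has a line that is exactly ".env" or "/.env".
env_file_ignored() {
  grep -qxE '/?\.env' "$1/.gitignore" 2>/dev/null
}

# Report findings for one project directory; return 1 if anything was found.
audit_compose_dir() {
  rc=0
  for name in $(literal_secrets "$1/docker-compose.yml"); do
    echo "docker-compose.yml: $name is set to a literal value"
    rc=1
  done
  if [ -f "$1/.env" ] && ! env_file_ignored "$1"; then
    echo ".env: present but not listed in .gitignore"
    rc=1
  fi
  return "$rc"
}

# Constructed sample: the Example 1 file from this page, audited in a temp dir.
demo=$(mktemp -d)
printf 'services:\n  web:\n    environment:\n      - API_KEY=123456\n' > "$demo/docker-compose.yml"
audit_compose_dir "$demo" || true
rm -rf "$demo"
```

Run against the Example 1 file it reports API_KEY; run against the .env variant it reports nothing for the Compose file, and reports the .env file only while it is missing from .gitignore.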

Conclusion

In this article, we have explored several methods for managing secret values with docker-compose v3.1. We can use environment variables, a .env file, and Docker secrets to store and manage sensitive data in a secure manner. We also looked at various examples of how to implement them. By using these methods, we can avoid storing secret values in plain text within our codebase and reduce the risk of security vulnerabilities.

Updated on: 17-Jan-2023
